Model checking programmable router configurations

Abstract

Programmable networks offer the ability to customize router behaviour at run time, thus increasing flexibility of network administration. Programmable network routers are configured using domain-specific languages. The ability to evolve router programs dynamically creates potential for misconfigurations. By exploiting domain-specific abstractions, we are able to translate router configurations into Promela and validate them using the Spin model checker, thus providing reasoning support for our domain-specific language. To evaluate our approach we use our configuration language to express the IETF's Differentiated Services specification and show that industrial-sized DiffServ router configurations can be validated using Spin on a standard PC.